Apache - Private IP in URL

Back


Id	db5f16f0-3afe-11ec-8d3d-0242ac130003
Rulename	Apache - Private IP in URL
Description	Detects requests to unusual URL
Severity	Medium
Tactics	InitialAccess
Techniques	T1190 T1133
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApachePrivateIpInUrl.yaml
Version	1.0.3
Arm template	db5f16f0-3afe-11ec-8d3d-0242ac130003.json

KQL

ApacheHTTPServer
| where UrlOriginal matches regex @'(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.1[6-9]\.\d{1,3}\.\d{1,3})|(172\.2[0-9]\.\d{1,3}\.\d{1,3})|(172\.3[0-1]\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3})'
| extend UrlCustomEntity = UrlOriginal

YAML

kind: Scheduled
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: UrlCustomEntity
  entityType: URL
name: Apache - Private IP in URL
relevantTechniques:
- T1190
- T1133
triggerOperator: gt
tactics:
- InitialAccess
query: |
  ApacheHTTPServer
  | where UrlOriginal matches regex @'(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.1[6-9]\.\d{1,3}\.\d{1,3})|(172\.2[0-9]\.\d{1,3}\.\d{1,3})|(172\.3[0-1]\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3})'
  | extend UrlCustomEntity = UrlOriginal  
triggerThreshold: 0
status: Available
description: |
    'Detects requests to unusual URL'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApachePrivateIpInUrl.yaml
queryFrequency: 1h
queryPeriod: 1h
id: db5f16f0-3afe-11ec-8d3d-0242ac130003
requiredDataConnectors:
- connectorId: CustomLogsAma
  datatypes:
  - ApacheHTTPServer_CL
version: 1.0.3

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/db5f16f0-3afe-11ec-8d3d-0242ac130003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/db5f16f0-3afe-11ec-8d3d-0242ac130003')]",
      "properties": {
        "alertRuleTemplateName": "db5f16f0-3afe-11ec-8d3d-0242ac130003",
        "customDetails": null,
        "description": "'Detects requests to unusual URL'\n",
        "displayName": "Apache - Private IP in URL",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "UrlCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ApacheHTTPServer/Analytic Rules/ApachePrivateIpInUrl.yaml",
        "query": "ApacheHTTPServer\n| where UrlOriginal matches regex @'(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(172\\.1[6-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.2[0-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.3[0-1]\\.\\d{1,3}\\.\\d{1,3})|(192\\.168\\.\\d{1,3}\\.\\d{1,3})'\n| extend UrlCustomEntity = UrlOriginal\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}